
Possible TrojanDownloader:Win32/Purstiu.A [RESOLVED]

Kiril

Posted 25 July 2005 - 06:24 PM


I had some problems with malware and after I did everything suggested in ditto's topic my system continues to generate a Windows Explorer error report every 3-4 seconds, which is extremely annoying. When I sent the error report to Microsoft, a suggestion appeared that this might be TrojanDownloader:Win32/Purstiu.A. Here's the log:

Guest_usetobe_*

Posted 26 July 2005 - 02:05 AM

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

HKEY ROOT CLASSIDS:

Files Found are not all bad files:

Guest_usetobe_*

Posted 26 July 2005 - 03:44 AM


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

The following are the files found:

Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.

REGEDIT4

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner

Click on Complete System Scan and the scan will begin.

NOTE: During some scans with ewido it is finding cases of false positives.

You will need to step through the process of cleaning files one-by-one.

If ewido detects a file you KNOW to be legitimate, select none as the action.

DO NOT select "Perform action on all infections"

If you are unsure of any entry found select none for now.

When the scan is finished, click the Save report button at the bottom of the screen.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply. Let us know if any problems persist.

Kiril

Posted 26 July 2005 - 10:54 AM


No other signs of malware left except that error report, which continues to appear every few seconds, and it seems like it restarts the explorer because every open explorer window closes and the desktop vanishes for 2-3 seconds. All other software is functioning normally. Same thing happens in safe mode. Here are the logs:

Guest_usetobe_*

Posted 26 July 2005 - 02:10 PM


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 54 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 35 seconds.
---------- (total run time: 157 seconds)
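
A way to review a fix file such as the fixme.reg posted earlier in this thread before merging it, as an added example that is not part of the original posts: the Python code below checks that the header sits on the first line and lists every key or value the file would delete or set. The function name `audit_reg` and the second sample file are constructed for illustration.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [HKEY_...\path] opens a key; a leading "-" inside the bracket deletes the whole key.
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\.*)?)\]$")
# "Name"=data or @=data; data of a bare "-" deletes that value.
NAME_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def audit_reg(text):
    """Return (problems, actions) for the text of a .reg file."""
    problems, actions = [], []
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1 is not a .reg header (blank line above it?)")
    key, continued = None, False
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        # hex data may wrap onto following lines with a trailing backslash
        was_continued, continued = continued, line.endswith("\\")
        if was_continued or not line or line.startswith(";") or line in HEADERS:
            continue
        section, value = KEY_RE.match(line), NAME_RE.match(line)
        if section:
            key = section.group(2)
            if section.group(1):
                actions.append(("delete-key", key))
                key = None  # a deleted key takes no values
        elif key is None:
            problems.append(f"line {number}: entry with no key section to apply to")
        elif value:
            kind = "delete-value" if value.group(2) == "-" else "set-value"
            actions.append((kind, f"{key} -> {value.group(1)}"))
        else:
            problems.append(f"line {number}: unrecognised line")
    return problems, actions

# The fix file exactly as posted in the thread.
PAGE_FIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD]
"""
# Constructed sample: blank line above the header, one value set, one deleted.
BAD_SAMPLE = "\nREGEDIT4\n[HKEY_CURRENT_USER\\Software\\ExampleVendor]\n" \
             "\"Setting\"=\"1\"\n\"Old\"=-\n"

if __name__ == "__main__":
    for name, sample in (("fixme.reg", PAGE_FIX), ("constructed", BAD_SAMPLE)):
        problems, actions = audit_reg(sample)
        print(name, problems, actions)
```
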